Zoltan Borok-Nagy has posted comments on this change. ( http://gerrit.cloudera.org:8080/24388 )
Change subject: IMPALA-15062: Add draft project security threat-model document
......................................................................


Patch Set 1:

(29 comments)

Thanks Michael for working on this, tried to answer most questions.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md
File draft-THREAT-MODEL.md:

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@683
PS1, Line 683: Confirm?
Yes.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@683
PS1, Line 683: change with the upcoming
            : Iceberg-REST-only `impalad` mode
No, Iceberg-REST-only behaves the same

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@687
PS1, Line 687: (we propose **yes**)
Yes, we treat HMS/Ranger as trusted sources.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@692
PS1, Line 692: "report upstream to Apache Kudu;
            : we pick up fixes via vendored sync" (proposed)?
Seems good to me

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@698
PS1, Line 698: (proposed: **yes**, `OUT-OF-MODEL: equivalent-harm`)?
"Yes" seems OK.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@701
PS1, Line 701: disclaim (proposed)?
Yes, no sandboxing by design.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@704
PS1, Line 704: Proposed: memory corruption is `VALID`; crash /
            : exception / slow path / OOM on a malformed file *landed by a writer with
            : INSERT* is `OUT-OF-MODEL: equivalent-harm`; the same on a writer-controlled
            : file in a *read-only-to-writer* deployment is `VALID-HARDENING`. *(maps to
            : §3 item 6, §8 P8, §9, §11a)*
Seems OK

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@712
PS1, Line 712: Anything to add or remove?
We could add `bin/` which only contains operational / helper scripts.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@716
PS1, Line 716: Is the Web UI a per-user authentication surface or a flat-admin
            : surface?
Flat-admin

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@721
PS1, Line 721: do you make any Impala-side
            : claim about tolerance, or is that entirely the operator's responsibility
            : (proposed)?
Confirm, it's the operator's responsibility

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@726
PS1, Line 726: no child processes besides codegen
Impala also spawns:
--ssl_private_key_password_cmd
--s3a_access_key_cmd
--ldap_bind_password_cmd
java -version

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@726
PS1, Line 726: no signal handlers besides
            : breakpad
Impala also adds handlers for:
SIGPIPE->SIG_IGN
SIGTERM->HandleSigTerm
SIGUSR1->minidump
SIGRTMIN+10->stack-trace

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@727
PS1, Line 727: Any
            : exceptions?
JAVA_TOOL_OPTIONS is read from the environment and merged (not sanitized)

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@742
PS1, Line 742: Proposed across the board: **dev/test, operator must flip per §10**, except
            : the last. *(maps to §5a, §10, §13)*
All proposed "dev/test"

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@746
PS1, Line 746: Is a Web UI port reachable without auth a
            : `VALID` report on the operator's behalf, or `OUT-OF-MODEL:
            : non-default-build`?
OUT-OF-MODEL: non-default-build. The docs strongly recommend setting --webserver_password_file and the security guidelines explicitly call this out

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@751
PS1, Line 751: Confirm
            : that setting these is `OUT-OF-MODEL
Confirm

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@761
PS1, Line 761: `--cookie_secret_file`: when unset, do HS2-HTTP cookies fall back
            : to a per-process random secret (proposed)? Is the cookie HMAC algorithm
            : documented and considered a §8 property?
Confirm, when unset, Impala generates a 256-bit cryptographically random key per-process via RAND_bytes()

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@767
PS1, Line 767: **Q16.** Treat `ai_generate_text` responses and JDBC-external-table rows as
            : data crossing a trust boundary (proposed)? Does Impala itself attempt any
            : sanitization of LLM responses or external-JDBC rows? *(maps to §6, §10)*
Confirm, treat as untrusted data crossing a trust boundary.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@771
PS1, Line 771: is there an enforced maximum (proposed: yes
Yes, max_statement_length_bytes = 16 MB

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@775
PS1, Line 775: is admission control (the
            : `--default_pool_*` family) the entire enforcement, with no engine-level
            : guard?
Mostly true, but we also have concurrency limitation via --fe_service_threads

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@781
PS1, Line 781: (proposed:
            : game-over)
Yes, game-over.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@784
PS1, Line 784: out of
            : scope (proposed)
Yes, out of scope.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@788
PS1, Line 788: so any compromised peer with a valid Kerberos identity is unbounded
            : (proposed)?
Confirm

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@803
PS1, Line 803: (proposed:
            : **no** — delegated to storage layer)?
Confirm

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@807
PS1, Line 807: all delegated to SASL/Kerberos/JWT
            : libraries?
All delegated to SASL/krb5/OpenSSL.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@810
PS1, Line 810: proposed:
            : **no**, an authorization-view feature with known existence-leak side
            : channels through error messages and query profiles
Confirm, authorization view, not confidentiality boundary.

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@816
PS1, Line 816: (proposed: **no**, the
            : plan is finalized at start)
Confirm

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@831
PS1, Line 831: `docs/threat-model.md`
LGTM

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@835
PS1, Line 835: Is there an existing Impala threat-model document (Confluence,
            : internal) that this should reconcile against rather than supersede?
I'm not aware of such a document


--
To view, visit http://gerrit.cloudera.org:8080/24388
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4d9c22f3b95f0a542888e56eeb618423104cc9fd
Gerrit-Change-Number: 24388
Gerrit-PatchSet: 1
Gerrit-Owner: Michael Smith <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Michael Smith <[email protected]>
Gerrit-Reviewer: Zoltan Borok-Nagy <[email protected]>
Gerrit-Comment-Date: Tue, 02 Jun 2026 14:19:43 +0000
Gerrit-HasComments: Yes
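The cookie-secret answer above (line 761: with `--cookie_secret_file` unset, each process draws its own 256-bit random key) has an operational consequence worth seeing in code: a cookie minted by one process only verifies against that same process. The following is an added illustration, not Impala's code. It assumes a plain `user&expiry&hmac-sha256` cookie layout, which is a constructed stand-in; the real Impala cookie format and HMAC algorithm are not stated in the review, and `os.urandom(32)` stands in for OpenSSL's `RAND_bytes()`.

```python
"""Added illustration of the per-process cookie-secret fallback.

Not Impala code. Cookie layout and algorithm (HMAC-SHA256 over
"user&expiry") are assumptions made for this example.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Optional


def load_secret(path: Optional[str]) -> bytes:
    """Mirror the described behaviour: read the secret from a file when a path
    is configured, otherwise draw 32 random bytes (256 bits) for this process.
    os.urandom is the stand-in for RAND_bytes() here."""
    if path is None:
        return os.urandom(32)
    with open(path, "rb") as f:
        data = f.read().strip()
    if len(data) < 32:
        raise ValueError("cookie secret must be at least 256 bits")
    return data


class CookieSigner:
    """One instance models one server process and its cookie secret."""

    def __init__(self, secret_file: Optional[str] = None):
        self.secret = load_secret(secret_file)

    def issue(self, username: str, now: int, ttl: int = 3600) -> str:
        # Assumed layout: "<user>&<expiry>&<hex hmac>"; the tag covers user+expiry.
        payload = f"{username}&{now + ttl}"
        tag = hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}&{tag}"

    def verify(self, cookie: str, now: int) -> Optional[str]:
        """Return the username if the tag and expiry check out, else None."""
        try:
            username, expiry, tag = cookie.rsplit("&", 2)
        except ValueError:
            return None
        expected = hmac.new(self.secret, f"{username}&{expiry}".encode(),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison before trusting any field of the cookie.
        if not hmac.compare_digest(expected, tag):
            return None
        if int(expiry) <= now:
            return None
        return username


def demo() -> dict:
    """Contrast a shared secret file with the unset (per-process random) case."""
    now = 1_700_000_000  # constructed fixed clock for determinism

    # Case A: both processes point at the same constructed secret file, so a
    # cookie issued by one coordinator is accepted by the other.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(os.urandom(32))
        shared_path = f.name
    try:
        coord_a, coord_b = CookieSigner(shared_path), CookieSigner(shared_path)
        shared_cookie = coord_a.issue("alice", now)
        shared_cross = coord_b.verify(shared_cookie, now)
    finally:
        os.unlink(shared_path)

    # Case B: no file configured; each process has its own random key, so the
    # cookie only verifies on the process that issued it.
    proc1, proc2 = CookieSigner(), CookieSigner()
    cookie = proc1.issue("alice", now)
    same_proc = proc1.verify(cookie, now)
    other_proc = proc2.verify(cookie, now)

    # Tampering with the user field or presenting an expired cookie both fail.
    tampered = proc1.verify(cookie.replace("alice", "admin"), now)
    expired = proc1.verify(cookie, now + 7200)

    return {
        "shared_cross_process": shared_cross,   # "alice"
        "random_same_process": same_proc,       # "alice"
        "random_other_process": other_proc,     # None
        "tampered": tampered,                   # None
        "expired": expired,                     # None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The practical reading for an operator: the per-process fallback is sound as a secret (256 random bits from the CSPRNG), but any deployment with several coordinators behind a load balancer, or one that expects sessions to survive a restart, needs a shared `--cookie_secret_file`; otherwise clients will see cookie verification fail whenever a request lands on a different process than the one that issued the cookie.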
